EXAMINER'S ANSWER



This is in response to the appeal brief filed on November 30, 2007 appealing 
from the final Office action mailed on 06/01/2007.



Application/Control Number: 10/678,333

Art Unit: 2132 

(1) Real Party in Interest 

A statement identifying by name the real party in interest is contained in 
the brief. 

(2) Related Appeals and Interferences 

The examiner is not aware of any related appeals, interferences, and
judicial proceedings which may be related to, directly affect or be directly
affected by or have a bearing on the Board's decision in the pending 
appeal. 

(3) Status of Claims 

The statement of the status of claims contained in the brief is incorrect. 
A correct statement of the status of the claims is as follows: 
This appeal involves claims 1-5, 11, 23-27 and 33. 
Claims 12-22 are allowed. 

Claims 6-10 and 28-33 are objected to as being dependent upon a 
rejected base claim, but would be allowable if rewritten in independent form 
including all of the limitations of the base claim and any intervening claims. 

(4) Status of Amendments After Final 

No amendment after final has been entered. 

(5) Summary of Claimed Subject Matter 

The summary of claimed subject matter contained in the brief is correct. 

(6) Grounds of Rejection to be Reviewed on Appeal

The appellant's statement of the grounds of rejection to be reviewed on
appeal is substantially correct. The changes are as follows: 
WITHDRAWN REJECTIONS 

The following grounds of rejection are not presented for review on appeal 
because they have been withdrawn by the examiner: 

Claims 6-10, 12-22 and 28-32 rejected under 35 U.S.C. 102(e) as being 
anticipated by Talpade (U.S. Publication No. 2004/0148520) (filed on January 
29, 2003) 

(7) Claims Appendix 

The copy of the appealed claims contained in the Appendix to the brief is 
correct. 

(8) Evidence Relied Upon 

2004/0148520 (U.S. Publication) Talpade 07-2004

(9) Grounds of Rejection 

The following ground(s) of rejection are applicable to the appealed claims: 
Claim Rejections - 35 USC §102 

Claims 1-5, 11, 23-27 and 33 are rejected under 35 U.S.C. 102(e) as
being anticipated by Talpade et al (hereinafter referred as Talpade) (U.S.
Publication No. 2004/0148520) (filed on January 29, 2003)

As per independent claims 1 and 23 Talpade discloses a method for
responding to network intrusions, comprising: [Abstract]

• a) receiving an intrusion detection system (IDS) alert from an IDS
sensor [Figure 2, ref. Num "234" and "236"/sensor] located in a network of 
computing resources [figure 2, ref. Num "204", customer network] wherein 
said IDS alert indicates an unauthorized intrusion upon a remotely located 
computing resource in said network of computing resources; [Abstract] (As 
explained on the abstract, A sensor shown on figure 2, ref. Num "214" and 
"236" examines the traffic entering the remotely located customer network 
shown on figure 2, ref. Num "204" and "206" for attack traffic. When an attack 
is detected, the sensor notifies an analysis engine within the ISP network to 
mitigate the attack. Therefore the analysis engine as shown on figure 2, ref. 
Num "232" which is also located remotely with respect to the customer 
computing resource network shown on figure 2, ref. Num "204" and "206" is 
notified the IDS alert indicating an unauthorized intrusion/ attacks) 

•b) identifying said IDS alert; [See paragraph 0023] (The analysis engine 
shown on figure 2, ref. Num "232" identifies the DDoS attacks /intrusion when 
receiving a DDoS notification/intrusion notification from the sensor located 
remotely as shown on figure 2, ref. Num "234" and "236" ) and 

• c) determining an appropriate response to said IDS alert [For example 
see Abstract, "the analysis engine as appropriate response to said IDS
alert/ notification for instance, configures a filter router to advertise new routing
information"] that is identified at a location separate from said remotely 
located computing resource [figure 2 and Abstract] (The computing resources 
are located inside the customer network shown on figure 2, ref. Num "204" and
"206", however the IDS alert is identified first at the sensor located at the sensor
shown on figure 2, ref. Num. "234" and "236" which is separate from said
remotely located computing resource located inside the customer network shown
on figure 2, ref. Num "204" and "206". Furthermore, the IDS alert is also identified
at the analysis engine shown on figure 2, ref Num "232" which is also separate 
from said remotely located computing resource located inside the customer 
network shown on figure 2, ref. Num "204" and "206"] so that said determining 
said appropriate response is unaffected by said unauthorized intrusion (As 
explained on the abstract, A sensor shown on figure 2, ref. Num "214" and "236" 
examines the traffic entering the remotely located customer network shown on 
figure 2, ref. Num "204" and "206" for attack traffic. When an attack is detected, 
the sensor notifies an analysis engine within the ISP network to mitigate the 
attack. Therefore the analysis engine as shown on figure 2, ref. Num "232" which 
is also located remotely with respect to the customer computing resource network 
shown on figure 2, ref. Num "204" and "206" is notified the IDS alert indicating 
an unauthorized intrusion/ attacks and an appropriate response to said 
unauthorized intrusion is taken by the analysis engine such as configuring a filter 
router or diverting the traffic. Therefore such appropriate response is unaffected 
by said unauthorized intrusion.) ; and 

• d) automatically implementing said appropriate response to mitigate 
damage to said network of computing resources from said unauthorized 
intrusion by isolating said remotely located computing resource, 
[paragraph 0024-0027 and abstract] (See for instance on paragraph 0024,
"automatically mitigates the attack by configuring one or more filter routers.
Furthermore As it is explicitly disclosed on the abstract, When an attack is 
detected, the sensor notifies an analysis engine within the ISP network to 
mitigate the attack. The analysis engine configures a filter router to advertise new 
routing information to the border and edge routers of the ISP network. The new 
routing information diverts/ reroute all traffic (attack traffic/ intrusion and non- 
attack traffic) destined for the customer network to the filter router. Therefore by 
doing so, the remotely located computing resource/ customer network is isolated 
from receiving any traffic what so ever, until the filter router, filters and remove 
the attack traffic. It is only after the attack traffic/ intrusion is filtered at the filter 
router that the non-attack traffic is passed back onto the ISP network for routing 
towards the customer network. Therefore it is undoubtedly clear that the 
computing resource is isolated from unauthorized intrusion/ attack traffic, so that 
the appropriate response to mitigate the damage to the said network of computing 
resources is automatically implemented. ") 

As per dependent claims 2 and 24 Talpade discloses a method for
responding to network intrusions as applied to claims above. Furthermore
Talpade discloses the method wherein a) further comprises: a1)
detecting a suspicious intrusion into said computing resource; [Abstract
and figure 2 and particularly, figure 2, ref. Num "234"/sensor] (The computing
resources are inside the customer network shown on figure 2, ref. Num "204"
and "206")
a2) determining said suspicious intrusion is unauthorized; [Paragraph 0017]
(Sensor detects an attack) a3) generating said IDS alert; [See, Abstract, 
notification generated by the sensor] and a4) sending said IDS alert to an IDS 
manager that is located remotely from said computing resource within 
said network of computing resources. [Paragraph 0024, "the IDS 
alert/ notification is sent to the Analysis engine and consequently to the ISP 
policy manager. Therefore ISP manager located remotely is notified and this 
meets the limitation of sending said IDS alert to an IDS manager that is located 
remotely from said computing resource within said network of computing 
resources.] 

As per dependent claims 3 and 25 Talpade discloses a method for
responding to network intrusions as applied to claims above. Furthermore 
Talpade discloses the method, wherein a2) further comprises: determining 
said suspicious intrusion is unauthorized when said suspicious intrusion 
matches with at least one of a list of unauthorized intrusions. [Figure 2, 
ref. 248 "filter sensors in side the sensors shown on figure 2, ref. Num "234" 
and "236", filtering inherently contains matching. Furthermore on paragraph 
0020-0022, how sensor 234/236 monitors all traffic entering the customer 
network is disclosed.] 

As per dependent claims 4-5 and 26-27 Talpade discloses a method for
responding to network intrusions as applied to claims above. Furthermore 
Talpade discloses the method, wherein comprises: detecting said 
suspicious intrusion at a host-based intrusion detection system (HIDS)
sensor and network-based intrusion detection system (NIDS) sensor
located within said network of computing resources. [See sensor located 
within said network of computing resources shown on figure 2, ref. Num "234"
and "236". Furthermore on paragraph 0020-0022, how sensor 234/236
monitors/ detects all traffic entering the customer network is disclosed. Finally
on paragraph 0021 the following has been disclosed. "Note that in accordance
with our invention, other types of sensor filters 248 beyond those described 
above can also be provisioned at the sensors 234/236" and this meets the 
limitation of any sensor that could be installed within the customer network or 
within network of the computing resources) 

As per dependent claims 11 and 33 Talpade discloses a method for
responding to network intrusions as applied to claims above. Furthermore 
Talpade discloses the method wherein said network of computing 
resources comprises a provisional data center. [See paragraph 0007, SOHO, 
Small office customer/ home office customer which are located inside the Figure 
2, ref. Num "204" and "206" inherently contain some kind of data center.) 

(10) Response to Argument 

Referring to the independent claim 12, 

Appellant's argument presented in the brief, specifically on the last three 
lines of page 11, is found to be persuasive. Talpade fails to recite the 
limitation such as "interfacing with at least one switch in said network 
of computing resources to virtually reconfigure said at least one 
switch, an associated switch..." recited in independent claim 12.
For this reason the rejection set forth in the previous office action to
claims 12-22 are withdrawn. 

Referring to the dependent claim 6-7, 28-29, claims 6-7 and 28-29 
recites similar limitation as that of claim 12, which is not specifically 
recited by the reference on the record. For instance the following 
limitation such as "d1) interfacing with a power controller that
controls power to said computing resource to shut power to said
computing resource" and "d1) interfacing with at least one switch, an
associated switch, in said network of computing resources..." recited 
in above dependent claims is not disclosed by the reference on the 
record. 

Furthermore claims 8-10 and 30-32 depend on claims 7 and 29 
respectively. 

However, Appellant's remark/ arguments, appeal brief, filed on November 
30, 2007, regarding claims 1-5, 11, 23-27 and 33 have been fully 
considered but they are not persuasive. 

Appellant asserts that the rejection of the independent claims 1 and 23
are improper: arguing that the reference on the record, namely Talpade
fail to teach the feature/ limitation, "...automatically implementing said
appropriate response to mitigate damage to said network of computing
resources from said unauthorized intrusion by isolating said remotely
located computing resource." 

Examiner counters that a careful reading of Talpade reveals that such 
feature/ limitation is indeed taught at the passage cited in the rejection of 
the claims in the final office action. 

For instance, Talpade at least on the abstract discloses the following. 

"Service attacks, such as denial of service and distributed denial of service 
attacks, of a customer network are detected and subsequently mitigated by the 
Internet Service Provider (ISP) that services the customer network. A sensor 
examines the traffic entering the customer network for attack traffic. When an 
attack is detected, the sensor notifies an analysis engine within the ISP 
network to mitigate the attack. The analysis engine configures a filter 
router to advertise new routing information to the border and edge routers 
of the ISP network. The new routing information instructs the border and 
edge routers to reroute attack traffic and non-attack traffic destined for 
the customer network to the filter router. At the filter router, the attack 
traffic and non-attack traffic are automatically filtered to remove the attack 
traffic. The non-attack traffic is passed back onto the ISP network for routing 
towards the customer network" and this meets the following limitation, 
"automatically implementing said appropriate response to mitigate damage to 
said network of computing resources from said unauthorized intrusion, by 
isolating said remotely located computing resource"

As it is explicitly disclosed on the abstract, when an attack is detected, the
sensor notifies an analysis engine within the ISP network to mitigate the 
attack. The analysis engine configures a filter router to advertise new routing 
information to the border and edge routers of the ISP network. The new routing 
information diverts/ reroute all traffic (attack traffic/ intrusion and non- 
attack traffic) destined for the customer network to the filter router. Therefore 
by doing so, the remotely located computing resource/ customer network shown 
on figure 2, ref. Num 204 is isolated from receiving any traffic what so 
ever, until the filter router, filters and remove the attack traffic. 

It is only after the attack traffic/ intrusion is filtered at the filter
router that the non-attack traffic is passed back onto the ISP network for 
routing towards the customer network. 

Therefore, computing resource shown on figure 2, ref. Num 204 is 
isolated from unauthorized intrusion/ attack traffic, so that the appropriate 
response to mitigate the damage to the said network of computing resources is 
automatically implemented. 

Furthermore examiner would also like to point out that on paragraph
0032, the following has been disclosed.

"In accordance with our invention, when a sensor, such as sensor 234 
associated with customer network 204, detects a DDoS attack and notifies the 
analysis engine 232 of this event, the analysis engine configures the filter router 
230 to advertise new routing information. The filter router advertises this new
routing information using the eBGP session it maintains with each border and
edge router. The new routing information advertised by the filter router 
instructs the border and edge routers that all DDoS and non-DDoS traffic 
destined for the customer network 204, for example, should now be routed 
to the filter router 230 via the IP-in-IP tunnels." 

This implies the fact that after the sensor in the customer network 204 
detects the intrusion and notifies the analysis engine which is remotely 
located with respect to the customer network 204, traffic which is 
supposed/ destined to go to the customer network is re-routed to the 
filter router 230. This implies that the customer network is virtually 
isolated from all traffic (malicious and non-malicious) for a certain period 
of time, until the malicious traffic is filtered. One of ordinary skill in the 
art would understand that there will be a certain period of time spent not 
only for diverting all the traffic (malicious and non-malicious) to the filter 
router 230 but also to filter the malicious traffic at filter router 230, 
before the traffic (only non-malicious) is sent back to the customer 
network. Examiner asserts that, this delay is inevitable regardless the 
speed that takes to remove the malicious traffic at the filter router shown 
on figure 2, ref. Num 230. Furthermore, it is not also difficult to
visualize that, this is a price you pay for implementing such a method 
mentioned in Talpade. Thus for that period of time at least until the 
filter router filters the malicious traffic, the customer network is virtually
isolated from any kind of traffic and this meets the limitation recited
"automatically implementing said appropriate response to mitigate 
damage to said network of computing resources/ customer network 204 
from said unauthorized intrusion by isolating said remotely located 
computing resource/ resource in the customer network shown on 
figure 2, ref. Num 204." 

Appellant on page 9 of the appeal brief, paragraph 3, argued that by 
"isolating said remotely located computing resource" the resource can 
continue to operate even after it has been isolated, for example by 
removing its network connections, which means that its state may be 
saved, and/ or enables someone to examine an intrusion, such as 
malicious code, in action (for example by using the system console 
to log in) without fear of the "unauthorized intrusion" spreading. 
Furthermore on the appeal brief on page 9, paragraph 4, appellant 
presented the following in support of his argument. "Isolating said 
remotely located computing resource," which provides for protecting 
assets within the customer's network regardless of the source of the 
attacks, provides for an implementation that can reside anywhere in 
a network topology, and provides for the isolated resource to 
continue to operate even after it has been isolated."

Examiner asserts that in response to Appellant's above argument that
the references fail to show certain features of applicant's invention, it is 
noted that the features upon which applicant relies (i.e., advantages / 
benefits that the invention provides) are not recited in the rejected 
claim(s). Although the claims are interpreted in light of the specification, 
limitations from the specification are not read into the claims. See In re 
Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). 
Appellant on page 9 of the appeal brief, last paragraph, argued and wrote 
the following regarding the reference on the record. 

"Appellant further notes that by teaching that it is difficult to mitigate 
DDoS attacks at the target (refer to lines 17 and 18 of paragraph 0007),
teaching that conventional systems require dedicated hardware (refer to 
lines 1-4 of paragraph 0007) in combination with teaching rerouting at the 
ISP; Talpade teaches away from "isolating said remotely located 
computing resource. " 

Examiner disagrees with Appellant's characterization of the teaching of 
the prior art. For instance Talpade neither require a dedicated hardware 
installed in the customer network to mitigate the problem nor mitigate 
DDoS attack at the target. Unlike, Appellant's argument these features 
are the disadvantage of the prior system which Talpade inventions is 
trying to solve. [Please see par. 0007].
As the result, the above deduction made by Appellant that Talpade
teaches away from "isolating said remotely located computing resource" 
is not persuasive. 

(11) Related Proceeding(s) Appendix

No decision rendered by a court or the Board is identified by the 
examiner in the Related Appeals and Interferences section of this 
examiner's answer. 

For the above reasons, it is believed that the rejections should be 
sustained. 

Respectfully submitted, 

/Samson B Lemma/ 

Examiner, Art Unit 2132 

/ Gilberto Barron Jr/ 

Supervisory Patent Examiner, Art Unit 2132 
Conferees: 

/Gilberto Barron Jr/ 

Supervisory Patent Examiner, Art Unit 2132 

Matthew Smithers /Matthew Smithers/ 

Primary Examiner 
Art Unit 2137 



